‘Hidden Bee’ miner uses malvertising to lure victims


Researchers at Malwarebytes have documented a drive-by download campaign that exploits a vulnerability in Flash Player to install the Hidden Bee cryptocurrency miner. The attackers use malvertising on adult sites to lure victims to the exploit kit's landing page; judging from the advertisements used and from the researchers' telemetry, the targets appear to be in a few Asian countries.

The advertisement poses as an online dating service; behind it sits a malicious iframe that loads the exploit kit.

The researchers describe the attack as a drive-by download. It caught their attention as an unusual variant of an existing exploitation framework they had been monitoring, one first documented in late 2017 by the Chinese security firm Qihoo 360.

The criminals are using “encryption to package exploits on-the-fly.” A session key negotiated with the server is required to decrypt and execute the exploit. The researchers also noted that the payload served is unusual “because it is not a standard PE file. Instead, it is a multiple-stage custom executable format, acting also as a downloader to retrieve LUA scripts used by the threat actors behind the Hidden Bee miner botnet. This was perhaps the first case of a bootkit being used to enslave machines mining cryptocurrencies.”

Exploit kits typically obfuscate their landing pages and exploits to hinder analysis. This kit goes further: it encrypts the exploit and negotiates the key with the backend server before delivering it. Starting from the landing page, the exploit is served as a Base64-encoded block that has been encrypted with the RC4 and Rabbit stream ciphers.

The session key itself is protected with RSA: it travels to the attackers' server in encrypted form, and only the server, which holds the private key, can recover it.

“However, researchers who just have the traffic captured cannot retrieve the original session key, and replaying the exploit is impossible. Thankfully, we managed to capture the exploit during dynamic analysis,” the Malwarebytes researchers noted.

They also noted that the newer Flash exploit was not part of the toolkit Qihoo 360 had documented.

The researchers consider this a sophisticated attack because of the range of techniques used both in exploit delivery and in the payload package. “According to our telemetry, we believe it is also focused on a select few Asian countries, which makes sense when taking its payload into consideration,” they said.

Exploit kit activity has slowed overall, but as this campaign shows, the actors behind them remain persistent.